11-17-2008 12:46 PM
I have a SSG5 Screen OS 6.2.0 running in Failover mode, everything works fine.
But I have been hit up with a scenario, that I do not know if it is possible.
Eth 0/0 ISP1
Eth 0/1 ISP2
Can I have a VPN on Eth 0/0 that if ISP1 goes down, will failover to Eth 0/1 ISP2? (Simply Yes, but please read on)
While with the above VPN failover, can I have all other traffic go out Eth 0/1 ISP2, and fail over to Eth 0/0 ISP1 if ISP2 goes down?
Hope that makes sense.
Thanks In Advance for any responses.
11-17-2008 03:39 PM - edited 11-17-2008 04:12 PM
Absolutely, that's cake. It's all routing once you have the tunnel's setup across each ISP. Your routing entries would simply use metrics and/or preferences and have a higher metric/preference for one tunnel interface over the other. Once that VPN drops, the higher preferred route will become inactive and the secondary route will become active. It's effectively the same thing with the un-encrypted traffic. But your question is also the same result, if ISP1 goes down then everything will failover to ISP2, and then will failback to ISP1 once it comes back up. The tunnel will inherently fail because outbound traffic is horked altogether.
So, your VPN routing entries could look like this:
set route 192.168.1.0/24 int tunnel.1 preference 20 metric 20
set route 192.168.1.0/24 int tunnel.2 preference 20 metric 30
You could also do two default routes for Internet traffic, either with equal (possibly also using ECMP) or un-equal preferences.
set route 0.0.0.0/0 int e0/0 gate 18.104.22.168 preference 20 metric 20
set route 0.0.0.0/0 int e0/1 gate 22.214.171.124 preference 20 metric 30
Just a start, let me know if I misunderstood your goal.
11-21-2008 08:58 AM - edited 11-21-2008 08:59 AM
That sounds exactly like what I need.
So if I understand you, and what needs to be done.
I will do this by frist doing away with "Backup" since backup/failover mode keeps one port in "Down" state.
And just keep them both "up" ports and then do the routing you indicated?
Same person as original poster, but is says my Forums Alias is in use by another account.
11-21-2008 09:14 AM - edited 11-21-2008 04:36 PM
Keep everything like you have it and just implement some basic routes as I mentioned. The interfaces will always be up, but the routes that have a higher metric/preference will be inactive until you have a link down state. Now, that being said this brings up a point that I failed to mention earlier.
If you don't have a link down, the first default route will always stay active. So you will also need to implement track-ip on the primary and/or secondary ISP interfaces. Track-ip will monitor via ping (default) a device upstream from the firewall and/or router and if it's unreachable, it can cause a failover to the second monitored interface. Your other option is to implement a link state routing protocol to detect a bad route and cause routing to reconverge and choose a different path.
A completely different option altogether is to implement PBR and/or source based routing, but start with the first suggestion, modify it with the track-ip I mentioned and see if that meets your requirements. If not, build off of that.